Scaleable input gradient regularization for adversarial robustness

Finlay, Chris; Oberman, Adam M.

doi:10.1016/j.mlwa.2020.100017

“…A set of 26 models trained without robustness penalties and 14 models trained using various robust optimization algorithms [18][19][20][21]37] were used in the analyses. We refer the reader to S1 Table for the complete list of models used in this work.…”

Section: Convolutional Neural Network Architecturesmentioning

confidence: 99%

“…Finally, the weight decay was set to 0.0001. The model trained with this algorithm is denoted as trades robust resnet50 linf 4 in S1 Table . Input gradient regularization [21] This algorithm seeks to improve the adversarial robustness of models by adding a regularization term to the cross-entropy loss. At a high-level, the regularization term penalizes the gradient of the loss function with respect to the input.…”

Section: Robust Modelsmentioning

confidence: 99%

“…For the models trained to be adversarially robust, the suffix corresponds to the norm constraint imposed on the size of the perturbation during model training. For example, robust resnet50 l2 3 corresponds to a ResNet-50 adversarially trained to be robust to perturbations, δ, of size at most δ 2 ≤ 3 [37], igr robust resnet50 corresponds to a ResNet-50 trained with input gradient regularization (IGR, [21]) and resnet50 simclr corresponds to a ResNet-50 trained with the SimCLR unsupervised loss function [47].…”

Section: Supporting Informationmentioning

confidence: 99%

“…In particular, these adversarial perturbations can cause the model to completely mis-classify the image even though it could correctly classify the unperturbed image, resulting in poor adversarial robustness [15]. This is clearly an issue in safety-critical applications (e.g., self-driving cars), so the machine learning community has been developing techniques to train these models to be more robust to adversarial perturbations [16][17][18][19][20][21]. These robust optimization techniques have been shown to be able to defend against very strong adversarial attacks, although there still exist perturbations that can fool models trained with these techniques.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Increasing neural network robustness improves match to macaque V1 eigenspectrum, spatial frequency preference and predictivity

Kong

¹

,

Margalit

²

,

Gardner

³

et al. 2021

Preprint

View full text Add to dashboard Cite

Task-optimized convolutional neural networks (CNNs) show striking similarities to the ventral visual stream. However, human-imperceptible image perturbations can cause a CNN to make incorrect predictions. Here we provide insight into this brittleness by investigating the representations of models that are either robust or not robust to image perturbations. Theory suggests that the robustness of a system to these perturbations could be related to the power law exponent of the eigenspectrum of its set of neural responses, where power law exponents closer to and larger than one would indicate a system that is less susceptible to input perturbations. We show that neural responses in mouse and macaque primary visual cortex (V1) obey the predictions of this theory, where their eigenspectra have power law exponents of at least one. We also find that the eigenspectra of model representations decay slowly relative to those observed in neurophysiology and that robust models have eigenspectra that decay slightly faster and have higher power law exponents than those of non-robust models. The slow decay of the eigenspectra suggests that substantial variance in the model responses is related to the encoding of fine stimulus features. We therefore investigated the spatial frequency tuning of artificial neurons and found that a large proportion of them preferred high spatial frequencies and that robust models had preferred spatial frequency distributions more aligned with the measured spatial frequency distribution of macaque V1 cells. Furthermore, robust models were quantitatively better models of V1 than non-robust models. Our results are consistent with other findings that there is a misalignment between human and machine perception. They also suggest that it may be useful to penalize slow-decaying eigenspectra or to bias models to extract features of lower spatial frequencies during task-optimization in order to improve robustness and V1 neural response predictivity.

show abstract

“…In particular, these adversarial perturbations can cause the model to completely mis-classify the image even though it could correctly classify the unperturbed image, resulting in poor adversarial robustness [15]. This is clearly an issue in safety-critical applications (e.g., self-driving cars), so the machine learning community has been developing techniques to train these models to be more robust to adversarial perturbations [16][17][18][19][20][21]. Robust optimization techniques have been shown to be able to defend against very strong adversarial attacks, although there still exist perturbations that can fool models trained with these techniques.…”

Section: Introductionmentioning

confidence: 99%

Increasing neural network robustness improves match to macaque V1 eigenspectrum, spatial frequency preference and predictivity

Kong

¹

,

Margalit

²

,

Gardner

³

et al. 2022

View full text Add to dashboard Cite

Task-optimized convolutional neural networks (CNNs) show striking similarities to the ventral visual stream. However, human-imperceptible image perturbations can cause a CNN to make incorrect predictions. Here we provide insight into this brittleness by investigating the representations of models that are either robust or not robust to image perturbations. Theory suggests that the robustness of a system to these perturbations could be related to the power law exponent of the eigenspectrum of its set of neural responses, where power law exponents closer to and larger than one would indicate a system that is less susceptible to input perturbations. We show that neural responses in mouse and macaque primary visual cortex (V1) obey the predictions of this theory, where their eigenspectra have power law exponents of at least one. We also find that the eigenspectra of model representations decay slowly relative to those observed in neurophysiology and that robust models have eigenspectra that decay slightly faster and have higher power law exponents than those of non-robust models. The slow decay of the eigenspectra suggests that substantial variance in the model responses is related to the encoding of fine stimulus features. We therefore investigated the spatial frequency tuning of artificial neurons and found that a large proportion of them preferred high spatial frequencies and that robust models had preferred spatial frequency distributions more aligned with the measured spatial frequency distribution of macaque V1 cells. Furthermore, robust models were quantitatively better models of V1 than non-robust models. Our results are consistent with other findings that there is a misalignment between human and machine perception. They also suggest that it may be useful to penalize slow-decaying eigenspectra or to bias models to extract features of lower spatial frequencies during task-optimization in order to improve robustness and V1 neural response predictivity.

show abstract

Social ODE: Multi-agent Trajectory Forecasting with Neural Ordinary Differential Equations

Song

¹

,

Wang

²

,

Metaxas

³

2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Anytime 3D human pose forecasting is crucial to synchronous real-world human-machine interaction, where the term "anytime" corresponds to predicting human pose at any real-valued time step. However, to the best of our knowledge, all the existing methods in human pose forecasting perform predictions at preset, discrete time intervals. Therefore, we introduce AnyPose, a lightweight continuous-time neural architecture that models human behavior dynamics with neural ordinary differential equations. We validate our framework on the Human3.6M, AMASS, and 3DPW dataset and conduct a series of comprehensive analyses towards comparison with existing methods and the intersection of human pose and neural ordinary differential equations. Our results demonstrate that AnyPose exhibits high-performance accuracy in predicting future poses and takes significantly lower computational time than traditional methods in solving anytime prediction tasks.

show abstract

Scaleable input gradient regularization for adversarial robustness

Cited by 40 publications

References 4 publications

Increasing neural network robustness improves match to macaque V1 eigenspectrum, spatial frequency preference and predictivity

Increasing neural network robustness improves match to macaque V1 eigenspectrum, spatial frequency preference and predictivity

Increasing neural network robustness improves match to macaque V1 eigenspectrum, spatial frequency preference and predictivity

Social ODE: Multi-agent Trajectory Forecasting with Neural Ordinary Differential Equations

Contact Info

Product

Resources

About